I have a very specific question about the transport encryption used at Windows Communication Foundation. I wrote a client and a service application.The service is hosted as Windows Service and started with a special user, let us say Jeremy.
My client is on a seperate computer but in the same domain. Communication happens over a net.tcp binding with a transport encryption.
Problem 1: if i sniff with wireshark, the first packages are in clear text
Problem 2: in the App.config of the client is a auto-generated identity-tag in the form of "jeremy@mycompany.com". If i set it blank everything is send in clear text. If i delete it, the program won't work.
Is anybody able to describe what exactly happens during the handshake? I thought Kerberos is fetching a ticket at the service to authenticate the client. But why is it in clear text then?
I hope somebody is able to help.
Edit: The clientCredentialType is of course Windows with protectionLevel: encryptAndSign
Ok after a lot of research I found out that this happend due to a discrepancy of Kerberos an NTLM.
The cleartext I mentioned is the handshake between server and client. So if I use Kerberos the clear text are only some chars which calls the service. If Kerberos is then not available or if you change the identity tag Kerberos falls back to NTLM which is responsible vor a much longer handshake and so on a few more clear text passages. I now forced the client to use Kerberos with following line:
<endpointBehaviors>
<behavior>
<clientCredentials>
<windows allowNtlm="false"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
At the windows security logs you can now see that authentication happens via Kerberos.
Here the links that helped me most to understand Kerberos and solve the problem:
https://blogs.msdn.microsoft.com/asiatech/2009/08/27/how-to-impersonate-or-delegate-a-client-in-wcf/
https://www.tecchannel.de/a/die-funktionsweise-von-kerberos,461645
https://msdn.microsoft.com/en-us/library/59hafwyt(v=vs.100).aspx